[Mod-security-developers] CRS DoS protection & x-forwarded-for header
From: Oleg G. <ole...@ya...> - 2011-04-28 23:33:03
I'm not sure if I can discuss CRS rules here. If not, please let me know what the right place is.

I want to suggest an improvement to DoS protection in CRS 2.1.2. The problem is that enterprise applications usually run behind load balancers, so relying on remote_addr doesn't make too much sense, because you'll always have an LB's IP in there.

My improved rules (attached) check for the x-forwarded-for header and if it's present, this IP will be used to initialize the IP collection. If it's not, then the old logic will be used.

It would be great if we can include this improvement in the next CRS release.

Thanks,
Oleg.
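The attached rules are not part of the archived message, so the following is an added illustration, not Oleg's patch and not CRS code. It shows the logic a DoS counter behind a load balancer needs: pick the client address from X-Forwarded-For only when the connection actually comes from a trusted proxy, and walk the header from the right so that a client-supplied leftmost entry cannot become the collection key. The trusted proxy range, the addresses and the fixed-window counter are constructed for this example; real CRS rules use their own burst and block variables.

```python
import ipaddress
from typing import Optional, Tuple

# Constructed for this example: the load balancer lives in this range.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def is_trusted_proxy(addr: str) -> bool:
    """True if addr is a valid IP inside one of the trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """Return the address the DoS counters should be keyed on.

    The header is only honoured when the TCP peer (remote_addr) is a trusted
    proxy; a direct client can put anything in X-Forwarded-For. Hops are read
    from the right, because the rightmost entries were appended by our own
    proxies, and the first hop that is not a trusted proxy is the client.
    """
    if not xff or not is_trusted_proxy(remote_addr):
        return remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if is_trusted_proxy(hop):
            continue
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: fall back to the connecting address
        return hop
    return remote_addr


class DosCounter:
    """Fixed-window request counter keyed on the resolved client address.

    Simplified stand-in for a per-IP burst counter; 'now' is passed in so the
    behaviour is deterministic.
    """

    def __init__(self, burst_limit: int, window_s: int) -> None:
        self.burst_limit = burst_limit
        self.window_s = window_s
        self._windows: dict = {}  # key -> (window_start, count)

    def record(self, remote_addr: str, xff: Optional[str], now: float) -> Tuple[str, bool]:
        """Count one request; return (collection key, over_limit)."""
        key = client_ip(remote_addr, xff)
        start, count = self._windows.get(key, (now, 0))
        if now - start >= self.window_s:
            start, count = now, 0
        count += 1
        self._windows[key] = (start, count)
        return key, count > self.burst_limit


if __name__ == "__main__":
    c = DosCounter(burst_limit=3, window_s=10)
    # Four requests via the LB (10.0.0.5) from one client; the fourth trips the limit.
    for t in range(4):
        print(c.record("10.0.0.5", "203.0.113.7, 10.0.0.3", now=t))
```

Keying on remote_addr alone would fold every client into the load balancer's address, so one busy client could trip the limit for all of them; keying on the leftmost X-Forwarded-For entry would let a client rotate a fake address per request and never accumulate a count. Reading from the right past the trusted hops avoids both.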